Cyber risk is at an all-time high. The geopolitical landscape, regulatory scrutiny, board pressure, and increasingly complex environments all shape day-to-day activities and focus. Some observations below are anecdotal, drawn from my own experience or that of individuals I speak with, and there will be broad generalisations, so take some statements with a pinch of salt if they don’t apply to you or you have seen otherwise.
There are common themes across industries: they face different stakes but similar challenges. An interesting set of statistics from 2025:
- 44% of CEOs treat cybersecurity as an episodic intervention (Accenture)
- 70% of CEOs only tackle cyber security post-breach (Event Talk)
- However, 85% of CEOs see cyber security as critical for business growth (Gartner)
So, there is a discrepancy between what is talked about and the actions taken.
This article summarises the key themes I hear in conversations with CISOs, heads of Risk, and GRC leaders, and outlines how the right people and skill sets can make the difference.
Current Cyber Risk Challenges
This section could go on for pages and pages, so I will try to summarise the main risks highlighted by senior leadership, why they are risks, and how the market is adapting. I will focus on the top three I’ve been hearing about, then bullet-point the rest.
Third-Party Risk Management (TPRM)
TPRM spent much of 2025 as a checkbox exercise, pushed onto GRC with minimal depth despite growing regulatory pressure and clearer warnings about supply‑chain risk. The issue wasn’t recognition but underestimating how much of the attack surface now sits outside the perimeter, leading to shallow assessments, inconsistent scoring, and several incidents rooted in weak supplier oversight.
By 2026, budgets finally started shifting toward dedicated internal cyber TPRM and supply‑chain security teams, but capability remains thin. Most teams handle basic due diligence yet struggle with the areas that matter most: contract clauses, technical validation, and understanding the web of supplier dependencies that routinely enable indirect attacks. If organisations want TPRM to reduce risk, they need specialists – recent months have made the cost of getting it wrong very clear.
OT Skills Gap
OT expertise has always been prioritised across UK CNI, but in the private sector it stayed buried at the bottom of job descriptions as a “nice to have.” The UK Cyber Security and Resilience Bill expands regulation to managed service providers and data centres, reflecting the government’s focus on operational resilience beyond traditional CNI. Yet many organisations still underinvest in OT talent, despite the NCSC’s CAF guidance explicitly targeting OT-heavy sectors like energy, healthcare, transport, and digital infrastructure. In practice, the talent gap wasn’t due to scarcity; it was the simple fact that OT risk wasn’t taken seriously until something broke. By the time companies tried to hire, the market had already moved, and they were competing for the same small pool of people who could bridge IT, OT, and cyber.
Culture & Awareness
Culture and awareness remained the area everyone said they valued but struggled to embed. GRC teams took it seriously, but employees still defaulted to “it won’t happen to me” thinking, especially around phishing, even though phishing still accounts for the bulk of successful attacks in most major threat reports. The problem wasn’t the training; it was the belief that cyber incidents were something that happened elsewhere. Until organisations start treating behaviour change like a business outcome rather than a compliance task, this gap will stay wide open.
56% of businesses that reported having had breaches or attacks in the last 12 months felt phishing attacks were the most disruptive (ICO). With the rise of AI (which will be tackled shortly) phishing attempts will be smarter and in a higher volume.
Frameworks & Compliance
- Companies that treat GRC seriously stay ahead; many had already aligned to DORA, CAF updates, and NIS2 before deadlines.
- Last‑minute scrambles usually came down to budget delays and difficulty translating regulatory change into business impact for leadership.
- Compliance catch‑up always costs more than early investment – especially with heavier frameworks.
- The core, career‑relevant standards that appear everywhere: ISO 27001, NIST CSF, PCI DSS, SOC 2, Secure by Design, and CMMC (particularly for US federal/defence supply chains).
Data, Operational & BAU Challenges
- CISOs consistently cited poor, inconsistent data as a major blocker, often worse than the threat landscape itself.
- Controls spread across Excel, SharePoint, and legacy tools lead to endless reconciliation before audits.
- Organisations want to consolidate into JIRA, ServiceNow, Archer, OneTrust, but lack the specialists to drive adoption.
- CAF v4.0 and board‑level demand for quantifiable dashboards (often FAIR‑influenced) make data quality a governance issue, not just an ops one.
AI & Quantum Computing
- AI is making phishing, impersonation, and social engineering dramatically harder to detect while lowering the barrier for attackers.
- AI‑assisted intrusion speed and fraud techniques are increasing rapidly across criminal and advanced threat groups.
- Regulators and industry guidance are urging preparation for post‑quantum resilience, with cryptographic risk expected to emerge before 2030.
- AI and quantum are already reshaping how organisations train staff, harden identity, and design long‑term security controls.
Talent Focus for Cyber Risk & GRC
The market has tilted towards experienced talent. Graduates are in an increasingly tough position when they enter the market, and near the start of 2025 we saw a huge push towards off-shoring the lower-level roles.
What I keep hearing is the hunt for a unicorn with two horns, someone who can recite all 93 Annex A controls and redesign the entire architecture before lunch. I’m exaggerating, but only slightly. Too many companies mis‑hire by going too technical or too strategic.
At the end of the day, it’s the old analogy: right tool for the right job. Cyber professionals adapt quickly, so if someone’s 80% right and you like them, hire them. It’ll save you time, money, and maybe even a breach.
Here is a list of the top skills I’ve hired for in GRC (industry dependent):
- Framework expertise
- TPRM
- Stakeholder engagement
- Assurance/resilience focus
- Led on projects with a tangible outcome
- OT/ICS
- Regulatory experience
Board-Level Challenges & Solutions
I will keep this section short, summarising some points already made:
What Boards Are Struggling With
- Understanding cyber risk in a business context
- Assurance over controls and suppliers
- Compliance ‘noise’ from multiple frameworks
- Budget justification and talent retention
- Consistent, auditable reporting
Practical Solutions
- A single consolidated controls library mapped to core frameworks (CIS, NIST, ISO, DORA etc.)
- Mature GRC tooling (JIRA integrations, automated evidence, workflows)
- A cyber risk function that can translate technical controls into clear business outcomes
- Regular board‑ready reporting: simple, visual, risk‑aligned
- Investment in training talent to be multi-disciplinary (risk + cyber + operational understanding)
Who Should Be Involved in These Conversations?
Below is a general overview of what each sector seems to be focusing on:
- Retail: supply chain risk, PCI, resilience, store tech
- Public Sector: governance, capability development, legacy tech
- Financial Services: framework alignment, regulatory compliance, third-party risk, operational resilience
- Consultancies: demand for hybrid GRC/risk skill sets, client delivery pressure
- Any business scaling cyber risk functions: hiring, maturity building, tooling adoption
CISO Insights
In a recent conversation with a former Ministry of Defence specialist who now serves as the CISO of a major financial services organisation, several clear themes emerged about the evolving cyber risk landscape and what boards need to understand to stay ahead. He was relaxed about attribution and did not need his name to be used.
The Evolving Threat Landscape
He sees three major forces shaping the next phase of cyber risk:
- Geopolitical cyber pressure and spillover
- Growing dependence on cloud-region stability
- AI-enabled intrusion capabilities
He highlighted that geopolitical tensions, not only in conventional conflicts but in broader regional instability, now have instantaneous cyber consequences. He pointed to the recent Middle East conflict, where instability affecting an AWS region in Dubai caused ripple effects and service instability within parts of the UK. In his view, cloud dependency and supply-chain fragility are far more brittle in practice than the industry tends to admit. Latency spikes, SLA issues, and overstated redundancy all contribute to the challenge.
On the AI front, he noted that the conversation often fixates on phishing, but the reality is much broader. Criminal groups and advanced threat actors are already using AI to scale reconnaissance, intrusion preparation, deepfake-enabled fraud, and highly convincing impersonations. As the NCSC has warned, these AI-enhanced intrusion capabilities are becoming more frequent and more sophisticated.
He gave examples such as the Striker incident and similar supply-chain compromises, highlighting how European operations and logistics networks can be destabilised without attackers ever targeting the intended organisation directly. In financial services specifically, he emphasised that staff, not infrastructure, are now the primary targets because of the high fraud potential. Social engineering remains the simplest and most effective attack vector.
Ransomware, he added, continues to be the UK’s most dangerous cyber threat. While the FS sector is relatively resilient, SMEs, far weaker by comparison, face the highest exposure and will increasingly be targeted as ransomware matures into a sustained criminal “industry.”
How Organisations Should Respond
He sees three areas as the most critical for organisations to focus on:
- Strengthen Identity & Access Management (IAM/IDAM). MFA, identity hardening, and robust access governance are the most effective blockers for lateral movement. As AI-enabled attacks scale, hardened identity becomes the frontline defence.
- Build Culture and Awareness, Beyond Compliance. He argues strongly for moving away from a compliance-driven mindset and toward an assurance-oriented, “secure by design” culture. Security should be embedded early in processes, not treated as an after-the-fact checklist. Awareness should feel real and relevant, without resorting to the MoD-style scare tactics he’s seen elsewhere.
- Improve Visibility and Monitoring Across the Entire Attack Surface. This includes indirect and supply-chain exposure, where many of today’s attacks originate. For a CISO, clarity on what truly matters enables effective prioritisation of resources. The goal, he said, is shifting from pure prevention to genuine organisational resilience.
Communicating Effectively With Boards
When speaking to boards, he stresses the importance of translating technical threats into operational, financial, and brand impacts. He referenced the disruption at the Port of Felixstowe as a tangible example of how cyber incidents rapidly become issues of continuity, resilience, and ultimately fiduciary responsibility.
What Boards Are Worried About Today
From his perspective, three board-level concerns dominate:
- Operational disruption: regardless of whether the root cause is cyber, geopolitical, or supply chain related.
- Regulatory exposure: especially as regulators become stricter and penalties increasingly public.
- Spillover risk: threats arising not from direct attacks, but from instability elsewhere in the ecosystem.
Interestingly, he noted a growing disconnect: while government policy appears to be softening in places, sector-specific regulators (e.g., telecoms) are tightening expectations, making regulatory pressure a central priority for board oversight.
Cyber risk is evolving faster than many organisations can adapt. Whether in Retail, FS, Public Sector or Consulting, leaders are wrestling with similar pressures: compliance, data, visibility, and talent.
With the right people and the right processes, the gap between where teams are and where regulators expect them to be is bridgeable. I’ll be speaking with experts over the coming weeks; if you’d like to share your perspective, I’d love to include your voice.
InfoSec People is a UK based boutique cyber and technology recruitment consultancy, built by genuine experts. Whether you’re a cyber security professional looking for a new opportunity or a business looking to build your security team, we are here to help. Contact us as our experienced recruiters are passionate about cyber security and are committed to providing exceptional service.
Call us directly on 01242 507100 to discuss opportunities or email info@infosecpeople.co.uk.